Cyber security
Contact company icon Add as a preferred source Download PDF version
Related Links

The International Maritime Cyber Security Organisation (IMCSO), an independent maritime standards organisation, has released its cybersecurity testing methodology for those maritime vessels looking to assess their risk and join the Cyber Risk Registry, a risk register database maintained by the IMCSO.

The methodology aims to provide IMCSO-accredited cyber consultants and the senior maritime personnel they will be assessing with standardised testing by outlining test scope and the language to be used to ensure tests are planned, executed and reported effectively.

Quality of cyber risk assessments

Currently there is no standard in the maritime sector for governing the quality of cyber risk assessments. This methodology will set a precedent by providing a set of criteria that assessors must observe when on engagement and against which maritime security can be measured."

"It is a very big step forward in normalising both expectations and requirements in the maritime space,” said Campbell Murray, CEO at the IMCSO.

Guide for cybersecurity practitioners

The methodology stipulates the needs under which the cybersecurity checks will be carried out

The methodology stipulates the conditions under which the cybersecurity assessments will be carried out. It acts as a legal and practical guide for cybersecurity practitioners who must adhere to the standards as a condition of their inclusion on the approved suppliers list, otherwise known as the Certified Supplier Registry, held by the IMCSO.

The Captain and crew undergoing the assessment will also be required to abide by the methodology and undergo pre-assessment training to become cyber-ready in order to better understand the process and its findings.

Operational technology standards

Testing will assess security across ten categories under the umbrella term of Operational Technology (OT), i.e., the hardware and software needed to monitor and control the physical processes of the ship. These include navigation, propulsion, electrical systems, communication, safety systems, cargo handling, environmental systems, and maintenance systems, human factors, and regulatory and compliance issues.

The assessment may be carried out at sea, onshore or a combination of the two. Currently, the only OT standards available to the sector are those associated with the manufacturing industry and very few directly assess OT.

Cybersecurity posture

In addition, it can often be difficult for shipping companies to objectively assess their OT suppliers

In addition, it can often be difficult for shipping companies to objectively assess their OT suppliers, as Murray explains: Third parties and the shipping companies share a dependency, with joint goals and integrated operations."

"Yet, with supply chain attacks on the rise, they represent a real risk to operations. This can strain the relationship but by applying a systematic approach through a standardised risk assessment, the company can rely upon the process to vet the cybersecurity posture of their suppliers for them.”

Key components of the IMCSO security testing methodology

  • Pre-Requisites: Rules of engagement, authorisation, scope of work, objectives, zones of testing.
  • Scope of Work: Outlines the project details and goals, signed by both parties.
  • Rules of Engagement: Guidelines for testing, including permitted hours and restrictions.
  • Authorisation and Legal Considerations: Compliance with laws and written stakeholder approval.
  • Testing Methodology: The approach used (e.g., black-box, white-box).
  • Deliverables: Expected outputs, such as reports and recommendations.
  • Timelines: Start and end dates, with key milestones.
  • Communication Plan: Points of contact and reporting protocols.
  • Risk Management and Contingency Planning: Plans to mitigate potential risks like downtime or data loss.
  • Confidentiality and Data Handling: Protecting sensitive data and results
  • Testing Activity: Performed by qualified personnel, with prompt reporting of critical issues.
  • Reporting: Clear and categorised reporting of security findings, including solutions.
  • Report Delivery: Secure and confidential delivery of the final report.

Cyber risk of the vessel

Reports will take a practical method with clear advice made in response to any security issues

Reports will take a practical approach with clear recommendations made in response to any of security issues or vulnerabilities. Outputs will be standardised under the methodology using qualitative metrics and this consistency will ensure the results for each vessel are comparable. 

The results will be used to profile the cyber risk of the vessel, the status of which will be recorded in the Cyber Risk Registry.

Cyber risk trends within the maritime sector

Shipowners are sensitive about sharing their vessel's data. The Cyber Risk Registry will serve as a valuable resource for stakeholders and relevant parties, including port authorities, insurance companies, and association partners, by providing insights into cyber risk trends within the maritime sector.

Additionally, it will support the broader industry—including the IMO, shipbuilders, management companies, and industry associations—by offering a trusted registry of vendors, qualified practitioners, and service providers to help vessels strengthen their cyber resilience and mitigate risks effectively.

Understand how converged physical and cybersecurity systems can scale protection.

Related white papers
Aligning physical and cyber defence for total protection

Aligning physical and cyber defence for total protection

Download
Combining security and networking technologies for a unified solution

Combining security and networking technologies for a unified solution

Download
System design considerations to optimize physical access control

System design considerations to optimize physical access control

Download
Related articles
How physical security consultants ensure cybersecurity for end users

How physical security consultants ensure cybersecurity for end users
How managed detection and response enhances cybersecurity management in organisations

How managed detection and response enhances cybersecurity management in organisations
Drawbacks of PenTests and ethical hacking for the security industry

Drawbacks of PenTests and ethical hacking for the security industry